Managing security vulnerabilities is difficult not just because vulnerabilities may be hard to detect, but also because there are so many different types of vulnerabilities out there. Fortunately, tools and techniques are available that can address the various kinds of vulnerabilities that may lurk within any layer of your technology stack.
What is a security vulnerability?
A security vulnerability is an error or flaw within an IT resource that could be exploited by attackers.
As explained in further detail below, these errors or flaws could take a variety of forms. A security vulnerability could be a coding mistake within application source code that can be used to launch a buffer overflow attack. It could be an oversight by developers who forget to validate input properly within an application, thereby enabling injection attacks. It could be a misconfiguration within an access control policy or a networking configuration that grants outsiders access to sensitive resources.
Security vulnerability vs. exploit vs. threat vs. breach
You may hear the terms “security vulnerability,” “exploit,” “threat” and “breach” used in close proximity. However, although these terms are closely related, they each refer to different parts of the chain of events that may lead to a security incident:
- A security vulnerability is a flaw that can potentially be exploited to launch an attack.
- An exploit is the method that takes advantage of a vulnerability in order to execute an attack. The injection of malicious code into an application could be an exploit.
- A threat is the set of conditions that must be present for an exploit to work. A threat may only exist when software is running on a certain operating system or when attackers have access to a certain interface, for instance.
- A breach is an active attack. Breaches take place when threat actors successfully execute an exploit.
Because security vulnerabilities form the foundation for the chain of exploits, threats and breaches described above, detecting vulnerabilities is the best way to nip security risks in the bud. If you eliminate the vulnerability, you also remove the exploits, threats and potential breaches that can result from the vulnerability.
Main types of security vulnerabilities
While there is a wide variety of security vulnerabilities that could potentially exist within an IT environment, most vulnerabilities fall into one of four categories:
- Malicious code: Code that malicious parties insert into a codebase, such as malware, can be exploited to gain unauthorized access to systems or take control of applications.
- Misconfigurations: Configuration mistakes like a cloud Identity and Access Management (IAM) rule that provides public access to sensitive data may lead to breaches.
- Coding flaws: Coding mistakes or oversights — such as failure to perform input validation in order to detect application input designed to gain unauthorized access — can lead to exploits.
- Lack of encryption: Data that is not properly encrypted, either at rest or in transit over a network, is vulnerable to attack.
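The "coding flaws" category above (and the injection example earlier on the page) is easiest to see side by side: the same lookup written once with untrusted input concatenated into the SQL text and once with the input passed as a parameter, plus an allow-list validator as a second layer. This is an added example, not code from the page or from JFrog; the user table, the usernames and the test input are constructed sample data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory user table (sample data, not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (name, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def lookup_user_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The coding flaw: the caller's input is spliced into the query string,
    so it can change the query's structure instead of staying a plain value."""
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_user_safe(conn: sqlite3.Connection, name: str) -> list:
    """The fix: a parameterised query keeps the input as data, never as SQL."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def validate_username(name: str) -> bool:
    """Allow-list validation as a second layer: usernames are short alphanumeric
    tokens, so anything else is rejected before it ever reaches the database."""
    return name.isalnum() and 1 <= len(name) <= 32


if __name__ == "__main__":
    db = make_db()
    # Constructed test input: a quote character plus an always-true condition.
    INJECTED = "x' OR '1'='1"
    print("vulnerable, normal input :", lookup_user_vulnerable(db, "bob"))
    print("vulnerable, crafted input:", lookup_user_vulnerable(db, INJECTED))
    print("safe, crafted input      :", lookup_user_safe(db, INJECTED))
    print("validator accepts it?    :", validate_username(INJECTED))
```

Running it shows the vulnerable function returning every row for the crafted input while the parameterised version returns nothing, which is exactly the difference a SAST rule for string-built SQL, or a DAST probe, is trying to surface. Validation is kept separate from the query fix on purpose: the parameterised statement is what removes the vulnerability, the allow-list just shrinks the input space.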
How to detect application security vulnerabilities?
Because security vulnerabilities come in many forms, detecting them requires a multi-pronged approach. A variety of techniques are available to help discover security risks.
Static Application Security Analysis
Static Application Security Analysis, or SAST, is a category of security testing that scans source code and (in some cases) binary code to identify vulnerabilities within it. Typically, SAST looks for vulnerability “signatures,” such as dependencies that are known to be insecure.
Dynamic Application Security Analysis
Dynamic Application Security Analysis, or DAST, identifies vulnerabilities by automatically launching active attacks against applications inside test environments. Attacks that are successful reveal vulnerabilities within the application.
Penetration testing
In penetration testing, security testers manually seek to identify and exploit vulnerabilities. Penetration testing is different from DAST in that penetration testing involves security experts actively looking for vulnerabilities, whereas DAST relies on automated attack emulation.
Image scanning
Image scanners, such as JFrog Xray, detect vulnerabilities in software after it has been compiled or packaged. As such, image scanners are useful for identifying vulnerable dependencies or configurations within an application package that may invite attack. For example, an image scanner could check a container image to determine whether any of the image’s dependencies contain vulnerabilities.
Configuration auditing
Configuration auditing tools are typically used to validate the configuration of infrastructure that hosts applications, as opposed to applications themselves (although in some cases configuration audits can be performed on configuration files that define application settings).
For instance, a configuration audit of a cloud environment could detect insecure IAM rules or networking configurations. Alternatively, a configuration auditor could be used to scan a Kubernetes environment to detect misconfigurations in Kubernetes security contexts, network policies or other settings that weaken the security posture of the environment.
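The two audit targets named above, an over-permissive cloud IAM rule and a weak Kubernetes security context, can both be expressed as a handful of checks over the configuration document. Below is an added example of such a configuration auditor, written for this page rather than taken from it or from any product; the bucket policy, the account id and the Pod manifests are constructed samples in the AWS IAM JSON and Kubernetes Pod formats, and each weak configuration is paired with a corrected variant that the same checks pass.

```python
import json
from typing import Dict, List

# Constructed cloud policy in AWS IAM JSON style: anonymous read on a bucket.
PUBLIC_BUCKET_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*"}
  ]
}
""")

# Corrected variant: same grant, scoped to one (placeholder) account principal.
SCOPED_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
         "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*"}
    ],
}

# Constructed Pod spec with weak security-context settings.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "hostNetwork": True,
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"privileged": True,
                                "allowPrivilegeEscalation": True},
        }],
    },
}

# Corrected variant following the restricted Pod Security Standard settings.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web"},
    "spec": {
        "containers": [{
            "name": "app", "image": "example/app:1.0",
            "securityContext": {"privileged": False,
                                "allowPrivilegeEscalation": False,
                                "runAsNonRoot": True},
        }],
    },
}


def audit_iam_policy(policy: Dict) -> List[str]:
    """Flag Allow statements that grant to everyone or use a wildcard action."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        public = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if public:
            findings.append(f"statement {i}: Allow with Principal '*' (public)")
        if stmt.get("Action") == "*":
            findings.append(f"statement {i}: Allow with wildcard Action")
    return findings


def audit_pod(pod: Dict) -> List[str]:
    """Flag host namespace sharing and missing container hardening settings.
    allowPrivilegeEscalation must be explicitly false and runAsNonRoot explicitly
    true under the restricted Pod Security Standard, so absence is a finding."""
    findings = []
    spec = pod.get("spec", {})
    name = pod.get("metadata", {}).get("name", "<unnamed>")
    if spec.get("hostNetwork"):
        findings.append(f"pod {name}: hostNetwork is enabled")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"container {c['name']}: privileged is true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {c['name']}: allowPrivilegeEscalation not false")
        if sc.get("runAsNonRoot") is not True:
            findings.append(f"container {c['name']}: runAsNonRoot not true")
    return findings


if __name__ == "__main__":
    for label, result in [("public policy", audit_iam_policy(PUBLIC_BUCKET_POLICY)),
                          ("scoped policy", audit_iam_policy(SCOPED_BUCKET_POLICY)),
                          ("weak pod", audit_pod(WEAK_POD)),
                          ("hardened pod", audit_pod(HARDENED_POD))]:
        print(label, "->", result or "no findings")
```

Note the asymmetry in `audit_pod`: a setting that is merely absent counts as a finding, because the weakness the page describes is often an omission rather than an explicit bad value. Real auditors (Pod Security Admission, cloud policy analyzers) apply many more rules, but the shape is the same: parse the document, evaluate each rule, and return the list of deviations rather than a pass/fail bit.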